An Amazon Virtual Private Cloud (Amazon VPC) endpoint enables a private connection between a VPC and another AWS service without leaving the Amazon network. An endpoint enables Amazon Elastic Compute Cloud (Amazon EC2) instances to communicate with an Amazon service in the same region from their private IP addresses. It does not require traversal over the Internet or through a NAT instance, a VPN connection, or AWS Direct Connect. VPC endpoints also provide additional security features such as the ability to add policies to control which Amazon Simple Storage Service (Amazon S3) buckets services in a VPC can access or to lock down S3 buckets to specific VPCs. Currently, AWS supports VPC endpoints for connections with Amazon S3 and Amazon DynamoDB only.

This feature is available only to EC2 instances running inside a VPC; however, many AWS customers would like to leverage VPC endpoints from remote networks. This webpage describes a highly available and scalable solution for providing access to VPC endpoints from remote networks, as depicted in the following high-level diagram.

Highly available, fault-tolerant network connections are key to a well-architected system. When designing remote connectivity solutions, consider the following best practices:

Implement a mechanism to identify, isolate, and route only the specific traffic that needs to use the remote connectivity solution. For example, companies often manage network traffic through DNS mappings, IP address assignments, or application port numbers.

Use highly available and scalable supporting services such as DNS, load balancers, and proxy servers. These services should be designed to support business and application requirements for availability and scalability.

Since VPC endpoints are only accessible from EC2 instances inside a VPC, a local EC2 instance must proxy all remote requests before they can utilize a VPC endpoint connection. The following sections outline a DNS-based proxy solution that directs appropriate traffic from a corporate network to a VPC endpoint for Amazon S3 as depicted in the following diagram.

The first step to leverage a VPC endpoint from a remote network is to identify the traffic to redirect through the endpoint. This solution uses corporate DNS servers to override DNS resolution for VPC-endpoint-specific traffic. In the example above, the DNS servers are configured to resolve s3.amazonaws.com to an internal Elastic Load Balancing (ELB) load balancer, which redirects traffic destined for US Standard S3 buckets to the VPC endpoint. As a result, S3 requests from the corporate network reach the S3 bucket over a private VPN or AWS Direct Connect connection instead of over the Internet.

The proxy farm proxies S3 traffic to the VPC endpoint. The proxy farm can use access control lists (ACLs) to provide additional control over VPC endpoint traffic. An ACL can specify which remote users or networks are authorized to leverage the solution, and can further restrict the VPC endpoints or destination domains that clients can access. Configure an Auto Scaling group to manage the proxy servers and automatically grow or shrink the number of required instances based on proxy server load.
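As an added example that is not part of the original page, the following S3 bucket policy illustrates the "lock down S3 buckets to specific VPCs" capability mentioned at the start: it denies every request to the bucket unless the request arrives through the designated VPC endpoint, so S3 traffic from the remote network is accepted only when it has taken the DNS-to-proxy-to-endpoint path described above. The bucket name and endpoint ID are placeholders to be replaced with your own values.

```json
{
  "Version": "2012-10-17",
  "Id": "LockBucketToVpcEndpoint",
  "Statement": [
    {
      "Sid": "DenyUnlessRequestArrivesViaVpcEndpoint",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::EXAMPLE-BUCKET-NAME",
        "arn:aws:s3:::EXAMPLE-BUCKET-NAME/*"
      ],
      "Condition": {
        "StringNotEquals": {
          "aws:sourceVpce": "vpce-EXAMPLE-ID"
        }
      }
    }
  ]
}
```

Because the Deny applies to every principal, it also blocks requests that bypass the endpoint, including those made from the AWS Management Console or from other networks, so pair it with a VPC endpoint policy that limits which buckets the endpoint itself may reach.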